CSRF protection for subscription/unsubscription

darcs-hash:20080829051104-84dde-9bd23c28c2c8a720046060a33ff3e5f246c47116.gz
2008-08-29 01:11:04 -04:00 · 2008-08-29 01:11:04 -04:00 · 4272da4e9e
commit 4272da4e9e
parent 2e239e3fbb
3 changed files with 20 additions and 0 deletions
--- a/actions/showstream.php
+++ b/actions/showstream.php
@ -179,6 +179,7 @@ class ShowstreamAction extends StreamAction {
 	function show_subscribe_form($profile) {
 		common_element_start('form', array('id' => 'subscribe', 'method' => 'post',
 										   'action' => common_local_url('subscribe')));
+		common_hidden('token', common_session_token());
 		common_element('input', array('id' => 'subscribeto',
 									  'name' => 'subscribeto',
 									  'type' => 'hidden',
@ -200,6 +201,7 @@ class ShowstreamAction extends StreamAction {
 	function show_unsubscribe_form($profile) {
 		common_element_start('form', array('id' => 'unsubscribe', 'method' => 'post',
 										   'action' => common_local_url('unsubscribe')));
+		common_hidden('token', common_session_token());
 		common_element('input', array('id' => 'unsubscribeto',
 									  'name' => 'unsubscribeto',
 									  'type' => 'hidden',
--- a/actions/subscribe.php
+++ b/actions/subscribe.php
@ -36,6 +36,15 @@ class SubscribeAction extends Action {
 			return;
 		}

+		# CSRF protection
+
+		$token = $this->trimmed('token');
+		
+		if (!$token || $token != common_session_token()) {
+			common_redirect(common_local_url('subscriptions', array('nickname' => $user->nickname)));
+			return;
+		}
+
 		$other_nickname = $this->arg('subscribeto');

 		$result=subs_subscribe_user($user, $other_nickname);
--- a/actions/unsubscribe.php
+++ b/actions/unsubscribe.php
@ -33,6 +33,15 @@ class UnsubscribeAction extends Action {
 			return;
 		}

+		# CSRF protection
+
+		$token = $this->trimmed('token');
+		
+		if (!$token || $token != common_session_token()) {
+			common_redirect(common_local_url('subscriptions', array('nickname' => $user->nickname)));
+			return;
+		}
+
 		$other_nickname = $this->arg('unsubscribeto');
 		$result=subs_unsubscribe_user($user,$other_nickname);
 		if($result!=true) {